In this blog post, we will perform an analysis on some obfuscated scripts that we received. These files were already detected by automated scanners, but as they are mainly malware droppers, we figured it could be interesting to do some manual analysis to determine where the actual malware is hosted.

The first sample we will investigate is a. This type of file is a Windows script file and can contain various scripting languages. In this case, we’re dealing with an obfuscated VBScript. Due to the obfuscation, it’s impossible to see at first sight what this script is trying to accomplish. We could run it in a virtual machine and dynamically monitor the actions taken by the script, such as network connections or processes started, but first we’d like to have an idea of the code. Some script code structures that are interesting to look for are functions that execute commands, such as:

In the script above, we can identify some “eval” statements and “executeglobal”. When the script is started, it will first run “InItIalIZe()”, followed by “ExecGlOBal()”. Let’s take a look at the contents of the Initialize function. The first statement assigns a large encoded string to a variable. The second statement performs a split on the encoded string using “chr(EvAl(31080/740))”. If you calculate 31080/740 off the top of your head, you get 42. Unsurprisingly, “chr(42)” is “*”, which is used as the splitting character in the obfuscated string.

In the next step, a loop runs through all the integers from the string above, translates them to characters and appends them to one large string. This string is then passed as the parameter to the “ExecuteGlobal” command. We can piggyback on the deobfuscation that the malicious script is already performing by itself: instead of letting it execute the deobfuscated code in the “ExecuteGlobal” command, we replace this command with something that prints the parameter to output. For Windows scripting, we can do this using “Wscript.echo”.

Using a command prompt and the “wscript” command, we can run the modified script. Our printing command shows us the decoded output in a pop-up window, which is too small to contain the entire code. Copy-pasting the entire text is not feasible either. Luckily, there’s an alternative: “cscript”, which writes the echoed output to the console instead of a pop-up. With “// deobfuscated.txt” we can print the deobfuscated string to a new file.